Skip to content

Terraform AWS EKS

EKS clusters with managed node groups, Fargate profiles, cluster encryption, IAM and OIDC integration, VPC networking, control plane logging, security groups, and core add-ons.

4 controls enforced10 frameworks

Controls Enforced

The following compliance controls are enforced by this module at terraform plan time.

Quick Start

module "eks" {
  source  = "acscessentialeight.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "acscism2023.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "awscontroltower.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "awsgenai.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "awswellarchitected.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "cccsmedium.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "cfrpart11.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "cisv140.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "cisv500.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "cis.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "cisv80ig1.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "cisacyberessentials.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "eugmpannex11.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "fedramplow.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "fedrampmoderate.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "ffiec.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "gdpr.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "hipaa.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "iso27001.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "nis2.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "nist800171.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "nist80053.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "nistcsf.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "pcidss.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "rbicybersecurity.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "rbiitfnbfc.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

module "eks" {
  source  = "soc2.compliance.tf/terraform-aws-modules/eks/aws"
  version = "<version>"

  # ... your arguments here
}

See the Get Started guide to get started and read the Features section for more details on how to customize the module for your requirements.

Migration from Upstream

Already using terraform-aws-modules? Change only the source URL:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "1.0"
}

module "eks" {
  source  = "soc2.compliance.tf/terraform-aws-modules/eks/aws"
  version = "1.0"
}

Same arguments. Same outputs. Compliance controls are enforced automatically at terraform plan. If a required value is missing, you get a clear validation error telling you what to set.

See the Migration Guide for step-by-step instructions.

Reversibility

No lock-in. Switch back by reverting the source URL to the upstream path:

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
}

Run terraform init -upgrade. Terraform state is unchanged — same resource addresses, same provider, no compliance.tf-specific resources. Controls you already applied remain in AWS.

Mapped compliance frameworks

ACSC-EE-ML2-7.7: Multi-factor authentication ML2

ISM-1402: Protecting credentials

Data protection

Detection

Identity and access management

Infrastructure protection

3.3 Configure Data Access Control Lists

7.1 Data Storage - Damage Protection

164.308(a)(4)(ii)(A) Isolating health care clearinghouse functions

164.312(a)(2)(iv) Encryption and decryption

164.312(e)(2)(ii) Encryption

164.314(b)(2)(iv): Organizational Requirements

A.8.1 User endpoint devices

A.8.5 Secure authentication

A.8.11 Data masking

A.8.15 Logging

A.8.24 Use of cryptography

3 Incident handling

12 Asset management

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems)

3.1.2: Limit system access to the types of transactions and functions that authorized users are permitted to execute.

3.1.3 Control the flow of CUI in accordance with approved authorizations

1.2.8: Network security controls (NSCs) are configured and maintained.

1.3.1: Network access to and from the cardholder data environment is restricted.

1.3.2: Network access to and from the cardholder data environment is restricted.

1.4.2: Network connections between trusted and untrusted networks are controlled.

1.5.1 Security controls are implemented on any computing devices, including company- and employee-owned devices, that connect to both untrusted networks

1.5.1: Risks to the CDE from computing devices that are able to connect to both untrusted networks and the CDE are mitigated.

3.5.1: Primary account number (PAN) is secured wherever it is stored.

5.3.4: Anti-malware mechanisms and processes are active, maintained, and monitored.

8.3.2: Strong authentication for users and administrators is established and managed.

8.3.2: Strong cryptography is used to render all authentication factors unreadable during transmission and storage on all system components

10.2.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.1: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.3: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.4: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.5: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.6: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.1.7: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.2.2: Audit logs are implemented to support the detection of anomalies and suspicious activity, and the forensic analysis of events.

10.3.1: Audit logs are protected from destruction and unauthorized modifications.

10.6.3: Time-synchronization mechanisms support consistent time settings across all systems.

A1.1.2: Multi-tenant service providers protect and separate all customer environments and data.

A1.1.3: Multi-tenant service providers protect and separate all customer environments and data.

A1.2.1: Multi-tenant service providers facilitate logging and incident response for all customers.

A1.2.3: Processes or mechanisms are implemented for reporting and addressing suspected or confirmed security incidents and vulnerabilities

Framework Coverage

Which controls from this module are active under each framework endpoint. ● enforced by default · ○ not activated by this endpoint

ControlAWS Well-Architected Framework v10ISO/IEC 27001:2022PCI DSS v4.0NIST SP 800-171 Rev 2ACSC Essential EightACSC ISM March 2023CIS Controls v8.0 IG1EU GMP Annex 11
EKS clusters should have control plane audit logging enabled
EKS clusters endpoint public access should be restricted
EKS clusters endpoint should restrict public access
EKS clusters should be configured to have kubernetes secrets encrypted using KMS

Showing top 8 frameworks by coverage. All framework endpoints →